Chapter 23 of 25
Security Compliance, Audits, and Program Metrics
See how organizations prove they are doing what they say by connecting compliance requirements to audits, assessments, and measurable security program performance.
Big Picture: Why Compliance, Audits, and Metrics Matter
Three Connected Ideas
You will connect three ideas: compliance, audits and assessments, and metrics. Together, they show whether a security program is actually working, not just documented on paper.
Where This Fits in Security+
This content sits mainly in Security Program Management and Oversight, but also touches Security Operations and Security Architecture. Expect short scenarios about compliance, audits, and metrics.
Rules, Referees, Scoreboard
Laws, regulations, standards, and contracts set the rules. Policies and procedures are your playbook. Audits are the referees. Metrics and reports are the scoreboard.
Why Evidence Matters
In modern hybrid environments, regulators, customers, cyber insurers, and leadership expect evidence of security, not just promises. That is why the exam cares about compliance, audits, and metrics.
Security Compliance: What Are We Complying With?
Definition of Security Compliance
Security compliance is adherence to applicable laws, regulations, standards, and contractual obligations. If you commit to it, you are expected to follow it.
Laws and Regulations
Examples: GDPR (EU personal data), HIPAA Security Rule (US electronic protected health information). These are government‑backed and mandatory where they apply.
Standards and Frameworks
Examples: ISO 27001, NIST CSF, CIS Controls. Often voluntary but widely expected. Organizations use them to structure and prove security maturity.
Contracts and Internal Policies
Contracts add security promises to customers and vendors. Internal policies are binding inside the organization; breaking them is a compliance gap.
From Requirements to Controls: Making Compliance Concrete
Turning Rules into Controls
Compliance becomes real when you translate laws, standards, and contracts into concrete security controls and day‑to‑day practices.
Mapping Requirements
Example: GDPR Article 32 (security of processing) maps to encryption, access control, backups, and disaster recovery (DR) plans to protect the confidentiality, integrity, and availability of personal data.
Control Frameworks and Documentation
Organizations use frameworks like ISO 27001 or NIST 800‑53 and document control owners, descriptions, frequency, and evidence.
Control Types Reminder
Security+ splits controls two ways: four control categories (technical, managerial, operational, physical) and six control types (preventive, deterrent, detective, corrective, compensating, directive). Expect questions that ask you to classify one control by both category and type.
Audits vs Assessments: Internal and External Views
What Is an Audit?
An audit is a structured, often independent check against defined criteria. It is formal, evidence‑driven, and usually has a pass/fail flavor.
What Is an Assessment?
An assessment evaluates security posture and risk more broadly. It is often advisory, like vulnerability assessments, pen tests, and gap analyses.
Internal vs External
Internal activities are done by the organization's own staff; external ones by independent third parties. Internal work finds and fixes gaps before external auditors produce the reports that customers and regulators rely on.
Common Exam Trap
A penetration test is an assessment, not an audit. PCI DSS calls the work a QSA performs an assessment (it ends in a Report on Compliance), but in form it is an audit: formal, evidence‑based, and measured against fixed requirements.
Walkthrough: Internal vs External Audits and Assessments
Scenario Overview
A payment company in a hybrid environment runs several security activities. Your job is to classify each as internal or external, audit or assessment.
Internal Vulnerability Scans
Quarterly internal scans run by the security team are internal assessments. They check posture, not formal compliance.
SOC 2 Examination
An independent firm performing a SOC 2 Type II examination and issuing a report is doing an external audit. Type II tests whether controls operated effectively over a review period; Type I only evaluates control design at a point in time.
Red Team and Policy Review
An external red team is an external assessment. An internal policy conformance review by internal audit is an internal audit.
Security Metrics: Measuring Control Effectiveness and Program Maturity
Why Metrics Matter
Metrics convert security work into numbers and trends that leadership can understand. They should be relevant, reliable, and actionable.
Control Effectiveness Metrics
Examples: patch compliance rates, access review completion, phishing click‑through rates, backup success rates, recovery times.
Program Maturity Metrics
Examples: policy coverage, training completion, MTTD and MTTR, percentage of incidents with root cause analysis.
Exam Tip on Metrics
For control effectiveness, pick metrics that measure whether a control is working (for example, patch coverage), not just raw event counts.
Thought Exercise: Designing Simple Security Metrics
Use this exercise to practice turning activities into metrics. You do not need to calculate numbers; focus on what you would measure and why.
- Scenario A: Patch management
- Your organization has a policy: “Critical security patches must be applied to all servers within 14 days of release.”
- Question: Propose two metrics that would show whether this control is effective.
- Think: How many servers are in scope? How do you know if they are patched on time?
- Scenario B: Phishing awareness
- The security team runs quarterly phishing simulations.
- Question: Propose two metrics that measure both short‑term behavior and longer‑term program maturity.
- Think: How do you show improvement over time, not just one campaign?
- Scenario C: Access review process
- Managers must review their team’s access quarterly.
- Question: Propose two metrics that help you see if this process is working and improving.
Pause and write down your answers in a notebook or notes app. Then compare to the sample ideas below.
Sample ideas to compare with your own:
- Patch management: percentage of servers patched within 14 days; number of overdue critical patches per month.
- Phishing awareness: phishing click‑through rate per campaign; percentage reduction in clicks over the last 4 campaigns.
- Access reviews: percentage of access reviews completed on time; number of inappropriate access rights removed per quarter.
On the exam, when you see “which of the following is the best metric to show improvement in X?”, look for metrics that can be tracked over time and are clearly connected to the control.
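The sample metrics above turned into working computations, as an added example that is not part of the original page: the patch inventory, phishing campaign results, and access review records are constructed for illustration, and `PatchRecord`, `patch_sla_metrics`, `phishing_trend`, and `access_review_metrics` are names chosen here. It goes slightly beyond the exercise by showing the denominator question from Scenario A in code: an unapplied patch that is not yet due is reported separately rather than counted as either compliant or overdue.

```python
"""Computing the three sample metrics over constructed records.
Added example; all data, hosts, and identifiers below are made up."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 14                # "within 14 days of release" from the Scenario A policy
AS_OF = date(2024, 3, 31)    # assumed reporting date


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str            # hypothetical identifier
    released: date
    applied: Optional[date]  # None means the patch has not been applied yet


# Constructed inventory of critical patches for the in-scope servers.
PATCHES = [
    PatchRecord("web-01", "CRIT-1", date(2024, 3, 1), date(2024, 3, 5)),    # on time
    PatchRecord("web-02", "CRIT-1", date(2024, 3, 1), date(2024, 3, 20)),   # applied, but late
    PatchRecord("db-01", "CRIT-1", date(2024, 3, 1), None),                 # open past its deadline
    PatchRecord("db-01", "CRIT-2", date(2024, 3, 25), None),                # open, not yet due
    PatchRecord("app-01", "CRIT-2", date(2024, 3, 25), date(2024, 3, 28)),  # on time
]


def patch_sla_metrics(records, sla_days=SLA_DAYS, as_of=AS_OF):
    """Percentage of critical patches applied within the SLA, plus the overdue backlog.

    The denominator is every patch that is either applied or past its deadline.
    An unapplied patch whose deadline has not passed is not yet a failure, so it
    is reported separately instead of distorting the compliance figure.
    """
    on_time = late = open_overdue = not_yet_due = 0
    for r in records:
        deadline = r.released + timedelta(days=sla_days)
        if r.applied is None:
            if deadline < as_of:
                open_overdue += 1
            else:
                not_yet_due += 1
        elif r.applied <= deadline:
            on_time += 1
        else:
            late += 1
    in_scope = on_time + late + open_overdue
    pct = round(100 * on_time / in_scope, 1) if in_scope else 0.0
    return {"in_scope": in_scope, "on_time": on_time, "late": late,
            "open_overdue": open_overdue, "not_yet_due": not_yet_due,
            "pct_on_time": pct}


# Constructed results of four quarterly simulations: (campaign, emails delivered, clicks).
CAMPAIGNS = [
    ("2023-Q2", 400, 60),
    ("2023-Q3", 410, 45),
    ("2023-Q4", 420, 34),
    ("2024-Q1", 430, 26),
]


def phishing_trend(campaigns, window=4):
    """Click-through rate per campaign (short-term behavior) and the percentage
    reduction from the first to the last campaign in the window (maturity)."""
    recent = campaigns[-window:]
    rates = [round(100 * clicked / delivered, 1) for _, delivered, clicked in recent]
    first, last = rates[0], rates[-1]
    reduction = round(100 * (first - last) / first, 1) if first else 0.0
    return {"rates": rates, "pct_reduction": reduction}


# Constructed access review records: (manager, due date, completed date or None, rights removed).
REVIEWS = [
    ("alice", date(2024, 3, 31), date(2024, 3, 28), 2),
    ("bob", date(2024, 3, 31), date(2024, 4, 5), 0),
    ("carol", date(2024, 3, 31), None, 0),
]


def access_review_metrics(reviews):
    """Percentage of reviews completed by their due date and how many rights the
    reviews removed; a review that never removes anything may be a rubber stamp,
    so both numbers are reported together."""
    on_time = sum(1 for _, due, done, _ in reviews if done is not None and done <= due)
    removed = sum(r[3] for r in reviews)
    pct = round(100 * on_time / len(reviews), 1) if reviews else 0.0
    return {"pct_on_time": pct, "rights_removed": removed}


if __name__ == "__main__":
    print(patch_sla_metrics(PATCHES))
    print(phishing_trend(CAMPAIGNS))
    print(access_review_metrics(REVIEWS))
```

Every figure the script reports carries a denominator (patches due, emails delivered, reviews owed), which is what separates these from a raw count such as "10 million attacks blocked": a reader can see what the number is a fraction of and track it quarter over quarter.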
From Audit Findings to Risk Management and Improvement
What Are Findings?
Audits and assessments generate findings: noncompliance, observations, and sometimes strengths. Findings highlight where controls fail or could improve.
Findings and Risk
Each finding should be tied to a risk scenario. For example, no MFA for remote access increases the risk of account compromise and data breach.
Remediation and Tracking
Findings become remediation tickets with owners and deadlines. Metrics track open findings, remediation time, and closure rates.
Driving Continuous Improvement
Repeated findings show deeper issues in governance, risk, and compliance. The right response is analysis, prioritization, and program improvement.
Quick Check: Compliance and Audits Basics
Answer this question to reinforce key distinctions between compliance, audits, and assessments.
A company hires an independent firm once a year to verify that its controls meet the requirements of a recognized standard. The firm reviews policies, interviews staff, inspects evidence, and issues a formal report that customers use to judge the company. Which option BEST describes this activity?
- A) An internal security assessment focused on posture
- B) An external audit that checks compliance with a standard
- C) A penetration test designed to find exploitable vulnerabilities
- D) A continuous monitoring program using automated tools
Show Answer
Answer: B) An external audit that checks compliance with a standard
This is an external audit: it is performed by an independent firm, checks controls against a defined standard, and produces a formal report for customers. Internal assessments are done by internal teams. Penetration tests focus on exploiting vulnerabilities, and continuous monitoring is ongoing, not annual and report‑driven.
Quick Check: Metrics and Control Effectiveness
Test your ability to pick the most meaningful metric.
Which metric BEST demonstrates the effectiveness of a critical patch management process?
- A) Total number of vulnerabilities discovered on all systems
- B) Number of servers in the organization
- C) Percentage of critical vulnerabilities remediated within the defined timeframe
- D) Number of security staff assigned to patching activities
Show Answer
Answer: C) Percentage of critical vulnerabilities remediated within the defined timeframe
The percentage of critical vulnerabilities remediated within the defined timeframe directly measures whether the patching control is working as intended. The other options are context but do not show control effectiveness.
Key Term Review: Compliance, Audits, and Metrics
Flip through these flashcards to reinforce core terms and distinctions you will see on Security+ questions.
- Security compliance
- Adherence to applicable laws, regulations, standards, and contractual obligations, as well as formally adopted internal policies and procedures.
- Audit (security context)
- A formal, structured review that checks conformance to defined criteria (such as a regulation, standard, contract, or policy), usually evidence‑based and often performed by an independent party.
- Security assessment
- An evaluation of security posture, risks, and control effectiveness that is usually broader and more advisory than a formal audit, for example vulnerability assessments or penetration tests.
- Internal vs external audit
- Internal audits are performed by staff within the organization, usually for improvement and preparation. External audits are performed by independent third parties and often produce reports for customers or regulators.
- Security metric
- A quantitative or qualitative measure used to track and communicate security control performance or program maturity over time.
- Control effectiveness metric
- A metric that directly measures whether a specific security control is operating as intended, for example the percentage of systems with current patches.
- Program maturity metric
- A metric that reflects the overall development and robustness of the security program, such as training completion rates or incident response times.
- Audit finding
- A documented result from an audit or assessment, such as a nonconformity, observation, or recommendation, which typically requires risk analysis and remediation.
- Governance, risk, and compliance
- Governance, risk, and compliance (GRC) is the combined discipline of setting direction and accountability for security (governance), identifying and treating threats to the organization's objectives (risk), and verifying adherence to applicable laws, regulations, standards, and policies (compliance), usually supported by shared documentation and tooling.
- Continuous improvement (security program)
- An ongoing process where audit findings, incidents, and metrics are used to adjust controls, policies, and processes to better manage risk over time.
Scenario Practice: Spot the Gaps and Next Steps
Apply what you have learned to two short scenarios. Think through them before checking the sample reasoning.
- Scenario 1: Cloud backup confusion
- A company’s policy states that all critical databases must have daily backups stored in a separate region. During an internal audit, the auditor finds that one production database in a cloud environment only backs up weekly and stores backups in the same region.
- Questions for you:
- What kind of issue is this (policy, regulatory, contractual)?
- What are the likely risks?
- What should the security team do next?
- Sample reasoning:
- This is a policy noncompliance and potentially a contractual issue if availability SLAs depend on backups.
- Risks: data loss, extended downtime after a regional outage.
- Next steps: log an audit finding, assess risk, prioritize remediation (fix backup schedule and region), and track closure.
- Scenario 2: Impressive‑looking but weak metrics
- A security manager reports to the board: “We blocked 10 million attacks last quarter.” No additional context is provided.
- Questions for you:
- Why is this a weak metric for decision‑making?
- Propose one stronger metric that would better show control effectiveness or risk.
- Sample reasoning:
- It is a weak metric because it lacks context (severity, success rate, trends). It could even indicate noisy logging rather than real threats.
- Stronger metrics: percentage of detected attacks that were successfully blocked; number of confirmed security incidents by category; trend of phishing click‑through rate.
On Security+, when you see scenario questions, look for: what requirement applies, what the gap is, what risk it creates, and what action logically follows (often risk analysis and remediation).
Key Terms
- audit
- A formal, structured review that checks conformance to defined criteria using evidence, often performed by an independent party.
- audit finding
- A documented result from an audit or assessment, such as a nonconformity or observation, that typically requires analysis and remediation.
- external audit
- An audit performed by an independent third party, often resulting in a formal report used by customers, regulators, or leadership.
- internal audit
- An audit performed by staff within the organization to check compliance with policies, processes, or standards and to support improvement.
- security metric
- A measure used to track and communicate security control performance or program maturity over time.
- program maturity
- The overall development, consistency, and robustness of a security program across processes, technology, and people.
- security assessment
- An evaluation of security posture, risks, and control effectiveness that is usually broader and more advisory than a formal audit.
- security compliance
- Adherence to applicable laws, regulations, standards, contractual obligations, and formally adopted internal policies and procedures.
- control effectiveness
- The degree to which a security control operates as intended to reduce risk.
- governance, risk, and compliance
- The combined discipline of setting direction and accountability for security (governance), identifying and treating threats to the organization's objectives (risk), and verifying adherence to applicable laws, regulations, standards, and policies (compliance).